Jun 18, 2026
A memory amplification bug in Apache's mod_http2 allows remote unauthenticated attackers to exhaust server RAM using small HTTP/2 header streams, causing a Denial of Service.
CVE-2026-49975 describes a high-severity remote Denial of Service (DoS) vulnerability in the Apache HTTP Server's mod_http2 module. Unauthenticated attackers can exploit the HPACK compression and cookie-merging behavior to trigger severe, quadratic memory allocation. This resource exhaustion is maintained by manipulating the HTTP/2 flow-control window, ultimately forcing an Out-of-Memory condition on the server host.
The vulnerability designated as CVE-2026-49975 is a remote Denial of Service (DoS) flaw affecting the Apache HTTP Server's mod_http2 module. Specifically, this issue is present in versions 2.4.17 through 2.4.67 of the HTTP server. The module is responsible for handling connections using the HTTP/2 protocol, establishing stream priorities, and processing header compression.
The attack surface exists on any internet-facing endpoint running the vulnerable module with HTTP/2 enabled. The vulnerability belongs to the CWE-789 class, which involves allocating memory with an excessive size value or accumulating repeated unchecked allocations. An unauthenticated remote attacker can exploit this flaw to cause severe memory exhaustion, leading to a complete Denial of Service across the target system.
The exploitation technique combines HPACK dynamic table referencing with HTTP/2 stream flow control parameters. Because the attack relies entirely on protocol-compliant structures, standard web application firewalls and intrusion prevention systems often fail to recognize the request sequence as malicious. The result is a highly effective, low-bandwidth attack that can crash major web server instances.
The root cause of CVE-2026-49975 lies in how the mod_http2 module processes HTTP/2 headers compressed with the HPACK protocol (RFC 7541). HPACK optimizes header transmission by maintaining a dynamic table of key-value pairs. Senders can transmit a single byte to reference a previously indexed header. In this vulnerability, the attacker targets how split cookie crumbs are processed and merged by the server.
According to the HTTP/2 specification (RFC 9113 §8.2.3), clients are permitted to split a single Cookie header into separate header fields for transmission. When mod_http2 encounters multiple cookie fields in a stream, it concatenates them using a semicolon and space separator. This concatenation relies on the Apache Portable Runtime (APR) memory pool structure (apr_pool_t) assigned to the active connection stream.
Because an APR memory pool releases its allocations only when the pool itself is destroyed together with the parent stream, every call to the concatenation function (apr_psprintf) allocates a fresh string buffer in the pool. The old, partially built cookie strings remain orphaned inside the pool but continue to consume memory. This design creates quadratic memory growth relative to the number of cookie crumbs processed. Senders can bypass the standard LimitRequestFields protection because the merging routine fails to increment the processed header count.
To understand the exact mechanics, we analyze the vulnerable code path in the mod_http2/h2_util.c file within the req_add_header function. The original processing block checked for the presence of multiple cookies and attempted to merge them directly into the current memory pool.
```c
/* Vulnerable code structure (excerpt; parameters and surrounding code elided) */
static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
                                   /* ... */)
{
    /* ... */
    if (/* ... */
        && !ap_cstr_casecmpn("cookie", (const char *)nv->name, nv->namelen)) {
        existing = apr_table_get(headers, "cookie");
        if (existing) {
            /* Cookie headers come separately in HTTP/2, but need to be merged */
            apr_table_setn(headers, "Cookie",
                           apr_psprintf(pool, "%s; %.*s", existing,
                                        (int)nv->valuelen, nv->value));
            return APR_SUCCESS;
        }
    }
    /* ... */
}
```

In the code above, there is no check on whether the incoming cookie crumb contains any actual data. Furthermore, the successfully merged crumb does not set any flag to signify that a header was added. As a result, the parser processes thousands of individual crumbs without updating the tracker that enforces the LimitRequestFields boundary.
```c
/* Patched code structure (excerpt; parameters and surrounding code elided) */
static apr_status_t req_add_header(apr_table_t *headers, apr_pool_t *pool,
                                   /* ... */)
{
    /* ... */
    if (/* ... */
        && !ap_cstr_casecmpn("cookie", (const char *)nv->name, nv->namelen)) {
        existing = apr_table_get(headers, "cookie");
        if (existing) {
            if (!nv->valuelen)
                return APR_SUCCESS;
            /* Cookie headers come separately in HTTP/2, but need to be merged */
            apr_table_setn(headers, "Cookie",
                           apr_psprintf(pool, "%s; %.*s", existing,
                                        (int)nv->valuelen, nv->value));
            *pwas_added = 1; /* Fix: Enforce LimitRequestFields */
            return APR_SUCCESS;
        }
    }
    /* ... */
}
```

The patched code resolves both flaws. First, it immediately returns APR_SUCCESS if the incoming cookie value length is zero, halting allocation attempts. Second, it sets the flag it receives through pwas_added to 1. This informs the caller that an additional header field was processed, allowing the server to enforce the LimitRequestFields restriction. This modification terminates the cumulative loop before significant host resources are consumed.
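To make the allocation behaviour concrete, the following Python model (added here; it is not mod_http2 code) replays the cookie-merge loop for both the vulnerable and the patched logic and counts the bytes a stream's pool would retain. The pool is modelled as a plain byte counter because an APR pool frees nothing until it is destroyed; `LIMIT_REQUEST_FIELDS` mirrors Apache's default `LimitRequestFields` value, and all other names are constructed for this example.

```python
SEPARATOR = "; "             # mod_http2 joins cookie crumbs with "; "
LIMIT_REQUEST_FIELDS = 100   # Apache's default LimitRequestFields value


class LimitRequestFieldsExceeded(Exception):
    """Patched merge counted more header fields than LimitRequestFields allows."""


def merge_cookie_crumbs(crumbs, patched, limit=LIMIT_REQUEST_FIELDS):
    """Replay the cookie branch of req_add_header over one stream's header list.

    Returns (merged_cookie_value, bytes_retained_in_pool, fields_counted).
    Vulnerable mode merges empty crumbs and never counts a merge as a field;
    patched mode skips empty crumbs and counts every merge (*pwas_added = 1).
    """
    pool_bytes = 0   # bytes the stream pool holds until the stream is destroyed
    fields = 0       # what the LimitRequestFields tracker sees
    existing = None
    for crumb in crumbs:
        if existing is None:               # first Cookie field: plain insert
            existing = crumb
            pool_bytes += len(crumb) + 1   # NUL-terminated copy in the pool
            fields += 1
            continue
        if patched and not crumb:          # fix 1: empty crumb, allocate nothing
            continue
        # apr_psprintf builds a fresh buffer; the old string stays orphaned in the pool
        existing = existing + SEPARATOR + crumb
        pool_bytes += len(existing) + 1
        if patched:                        # fix 2: report the field to the caller
            fields += 1
            if fields > limit:
                raise LimitRequestFieldsExceeded(fields)
    return existing, pool_bytes, fields


def pool_bytes_for(n_crumbs, patched, crumb="a"):
    """Pool bytes retained after n_crumbs identical crumbs, or None if rejected."""
    try:
        return merge_cookie_crumbs([crumb] * n_crumbs, patched)[1]
    except LimitRequestFieldsExceeded:
        return None


if __name__ == "__main__":
    for n in (1000, 2000):   # doubling the crumbs roughly quadruples the bytes
        print(n, "one-byte crumbs, vulnerable:", pool_bytes_for(n, patched=False))
    print("patched, 1000 crumbs:", pool_bytes_for(1000, patched=True))
```

Doubling the number of one-byte crumbs roughly quadruples the retained bytes in vulnerable mode, while the patched logic rejects the stream once the field count passes the limit and never allocates for empty crumbs.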
Exploitation of CVE-2026-49975 requires no prior authentication and can be completed remotely over any network connection where HTTP/2 is negotiated. The attacker begins by initializing an HTTP/2 connection and establishing flow control parameters. Crucially, the attacker transmits a SETTINGS frame that defines the initial stream window size (SETTINGS_INITIAL_WINDOW_SIZE) to exactly 0 bytes.
Next, the attacker sends a request containing standard pseudo-headers and defines a cookie entry to seed the HPACK dynamic table, typically mapped to index 62. The attacker then transmits thousands of one-byte indexed references pointing to this entry. This action triggers the vulnerable merging routine in the Apache process, resulting in quadratic memory allocation within the stream's pool.
Because the flow control window is set to 0, the server is forbidden from flushing the HTTP response payload over the network. The server is forced to hold the entire request state in RAM, keeping the bloated memory pool active. To maintain this state without triggering connection or socket timeouts, the attacker sends a slow, periodic drip of 1-byte WINDOW_UPDATE frames or standard PING frames. This holds the TCP connection open indefinitely, pinning gigabytes of memory across multiple parallel streams.
The impact of CVE-2026-49975 is classified as high-severity Denial of Service. While some unofficial Proof-of-Concept sources attribute a CVSS score of 9.8 to this CVE, the formal consensus rating is 7.5. The primary security consequence is complete service unavailability due to physical memory exhaustion.
An attacker can open multiple concurrent TCP connections, each containing dozens of active HTTP/2 streams. By driving memory allocation into a quadratic curve and holding the connection state open, a single resource-constrained client can exhaust several gigabytes of server RAM. This triggers swap-space thrashing, degrading operating system performance for all co-hosted services.
Ultimately, the kernel-level Out-Of-Memory (OOM) killer is triggered. This routinely results in the forceful termination of the Apache parent or child processes, rendering the web server offline. Because the attack requires negligible bandwidth to construct the compressed HPACK payloads, it acts as a significant asymmetric threat to web infrastructure.
Remediating CVE-2026-49975 requires updating the affected Apache HTTP Server installation to version 2.4.68 or later. If utilizing standalone module packages, the mod_http2 library must be upgraded to version 2.0.41 or higher. These updates contain the necessary checks to limit merged headers and prevent empty-crumb processing.
In environments where immediate software upgrades are not possible, administrators should disable HTTP/2 support to mitigate risk. This can be achieved by removing h2 and h2c from the configuration. Specifically, modify the Protocols directive in httpd.conf to fall back to HTTP/1.1.

```apache
# Disable HTTP/2 to prevent HPACK exploitation
Protocols http/1.1
```

Additionally, defense-in-depth measures should be deployed to limit the blast radius of memory exhaustion. Administrators can configure systemd memory constraints or shell limits on Apache worker processes. Setting a maximum virtual memory limit ensures that any abnormal worker process is safely terminated and respawned before physical system RAM is exhausted.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Apache HTTP Server (mod_http2), Apache Software Foundation | 2.4.17 through 2.4.67 | 2.4.68 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-789 |
| Attack Vector | Network |
| CVSS Score | 7.5 (High) |
| EPSS Score | 0.01313 |
| EPSS Percentile | 66.94% |
| Impact | Remote Denial of Service |
| Exploit Status | Proof-of-Concept Available |
| CISA KEV Status | Not Listed |
CWE-789 (Memory Allocation with Excessive Size Value): the software allocates memory based on an untrusted, attacker-controlled size value without performing proper validation, or performs multiple repeated allocations that accumulate to consume excessive physical memory.